Microsoft 365 Message Center item MC1426371

MC1426371 - Microsoft Entra: Passkeys by default and retirement of Microsoft-provided SMS and voice authentication

Microsoft Entra will make passkeys the default authentication method starting September 1, 2026, retiring Microsoft-provided SMS and voice authentication by February 1, 2027. Customers must configure telecom providers for SMS/voice via the Microsoft Security Store or face disruptions. Passkeys offer stronger, phishing-resistant security at no extra cost.

Message Center ID
MC1426371
Category
plan For Change
Severity
normal
Services
Microsoft Entra
Tags
User impact, Admin impact, Retirement
Published
2026-07-13
Last updated
2026-07-13
Expires
2027-02-28

[What and why]Passkeys will become the default authentication experience in Microsoft Entra on September 1, 2026. Telecom-based methods (SMS and voice) will transition to customer-configured providers through the Microsoft Security Store. The AI era demands stronger, phishing-resistant authentication. We are making passkeys the default authentication experience in Microsoft Entra to help customers securely adopt AI at scale.  As part of this transition, SMS and voice will no longer be available as multifactor authentication methods starting February 1, 2027. SMS and voice do not offer sufficient levels of security in comparison to passkeys. Traditional authentication methods including passwords, SMS one-time passcodes, and voice-based verification remain vulnerable to phishing, interception, and social engineering attacks.We strongly recommend moving away from telephony-based authentication methods to improve security and prevent identity attacks. Passkeys are included in all Microsoft Entra plans, so making this critical security change comes at no additional cost for you.  While we recommend adopting passkeys for phishing-resistant authentication as quickly as possible, we also recognize that some customers may have business needs that make an immediate transition impractical. In such cases, customers may continue to use SMS and voice by selecting a telecom provider in the Microsoft Security Store. [Rollout schedule] September 1, 2026: Rollout begins. Changes may take time to reach all tenants and will be deployed gradually. Passkeys will be automatically enabled for users currently enabled for SMS or voice. Registration Campaign will be set to Microsoft-Managed targeting passkeys for all users in eligible tenants. Users will be prompted to register a passkey during MFA sign-in; users will be able to skip. September 18th, 2026:review the telecom providers and related information available through the Microsoft Security Store to evaluate which optiohn best meets your regional and compliance requirements.October 30, 2026:  Customers who need to continue to use SMS or voice will be able to choose from a list of telecom providers available through the Microsoft Security Store. February 1, 2027: Microsoft-provided SMS and voice authentication will be retired. Only customer-configured telecom providers will support SMS and voice going forward. Passkeys become the default, recommended authentication method. If no action is taken, tenants relying only on Microsoft-provided SMS or voice may experience sign-in disruptions after February 1, 2027. [Impact on your organization]Who is affectedAll Microsoft Entra ID tenants enabled for SMS or voice authenticationUsers enabled for SMS or voice Platforms and servicesMicrosoft Entra IDMultifactor authenticationMicrosoft Security StoreWhat will happenPasskeys will be automatically enabled for eligible users and Registration Campaign for passkeys will be set to Microsoft Managed state starting September 1, 2026. Users will be prompted during MFA sign-in to register a passkey; users can skip the prompt.  Microsoft-provided SMS and voice will be retired on February 1, 2027.Organizations that still require telephony methods must configure a telecom provider in the Microsoft Security Store.Tenants that do not configure a provider and continue relying on Microsoft telephony will face SMS and voice authentication disruptions after retirement.[Action required and recommendations]Admins should take the following steps:Prepare for passkeysPlan to transition users to passkeys and communicate upcoming registration prompts. Decide if SMS or voice is still requiredIf SMS or voice is still needed, you must configure a customer-managed telecom provider. We recommend completing setup at least 4 weeks before the February 1 enforcement to allow sufficient time for testing and a cautious transition. Set up a telecom provider before February 1, 2027SMS and voice will only work after this date if a customer-configured telecom provider is enabled.  Use temporary opt-out if neededA temporary opt-out will be available for the September 1, 2026 through February 1, 2027 changes. This allows you to delay passkey and Registration Campaign enablement while you complete transition activities, such as configuring customer-managed telecom providers or migrating to other authentication methods. After February 1, 2027, passkey enablement will be enforced for all users in scope. Additional documentation and more information will be available on Microsoft Learn and the Tech Community.For more information please visit: https://learn.microsoft.com/entra/identity/authentication/concept-sms-voice-retirement more:Deploy passkey adoption campaigns with the Conditional Access Optimization Agent | Microsoft Entra | Microsoft LearnGet started with phishing-resistant passwordless authentication deployment in Microsoft Entra ID | Authentication | Microsoft Entra ID | Microsoft Entra | Microsoft LearnIt's Time to Hang Up on Phone Transports for Authentication | Microsoft Entra BlogPasskeys by default and retirement of Microsoft-provided SMS and voice authentication | Microsoft Entra | Microsoft Learn[Compliance considerations]Review as appropriate for your organization.